Security firm F-Secure says that the Downadup worm has spread to more than 3.5 million computers by exploiting a vulnerability Microsoft patched last October.What makes this worm interesting is the ability its creators have put in place to update all of the infected machines each day. While most malware networks may have a few domains each infected machine will use to "call home" and get updates, the Downadup authors have created a system where an algorithm generates many different domains every day. Here's how F-Secure explained it in its blog post:
It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.
Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org.
This makes it impossible and/or impractical for us good guys to shut them all down - most of them are never registered in the first place.
However, all the creators have to do is register one of the domains that will be generated, and they can update the worm do pretty much do whatever they wish. They could, for example, create a massive botnet to launch denial-of-service attacks from the 3.5 million systems. Or, they could use the worm to seed yet another massive worm infestation on additional PCS.
Of course, much of this this pain could have been avoided if more users had patched the vulnerability in how Windows processes remote procedure call (RPC) requests by the Windows Server service. In fact, in bulletin MS08-067, Microsoft issued a critical out-of-band patch to fix this flaw.
Too bad not enough of us listened.